
Protocol: TLS closure
Taking up the thread which was aborted after message
<http://www.OpenLDAP.org/lists/ietf-ldapbis/200212/msg00007.html>:

I would like to see this paragraph removed from [Protocol]
4.13.3.1 (Graceful Closure):

   Before sending a TLS closure alert, the client MUST either wait for 
   any outstanding LDAP operations to complete, or explicitly abandon 
   them.  

I don't see the point of this requirement.  Servers must in any case be
well-behaved if the clients break this requirement.  And since abandon
requests need not be honored, the requirement doesn't really gain us
anything.

Jim said he believed the intent was to get the client to understand that
no outstanding operations will be replied to once the server receives
the TLS closure.  But if that's the intent, that's what it should say.
Which it now does, actually:

   After the TLS connection has been closed, the server MUST NOT send 
   responses to any request message received before the TLS closure. 

If you think removing the paragraph about abandons makes things too
unclear, you could add this to the last paragraph:

   The server may or may not perform some of these requests, as long as
   it does not send their responses.

and maybe add this instead of the first quoted paragraph:

   Before sending a TLS closure alert, the client MUST wait for the
   responses to any outstanding LDAP operations to which it wants
   responses.

That statement is redundant; it's just a consequence of what is already
stated, but it might make things clearer.

-- 
Hallvard
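
The closure semantics argued over in this message, as an added toy model
(constructed for illustration; not code from this thread or from OpenLDAP,
and the class and function names are invented). It shows the three things a
client can do with an outstanding operation before sending the TLS closure
alert: wait for its response, abandon it, or just close. In every case the
server may still perform the operation, but once the TLS connection is closed
it sends no response, which is the consequence the proposed replacement
paragraph spells out.

```python
# Constructed model of LDAP-over-TLS graceful closure as discussed above.
# Not OpenLDAP code; Server/Client/closure_scenario are invented names.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Server:
    """Minimal server view of one TLS-protected LDAP connection."""
    tls_open: bool = True
    pending: Dict[int, str] = field(default_factory=dict)   # msgid -> operation
    performed: List[int] = field(default_factory=list)      # ops actually executed
    responses_sent: List[int] = field(default_factory=list)

    def receive_request(self, msgid: int, op: str) -> None:
        assert self.tls_open, "no requests can arrive after the TLS closure"
        self.pending[msgid] = op

    def receive_abandon(self, msgid: int) -> None:
        # Abandon need not be honored; this model honors it while the op is queued.
        self.pending.pop(msgid, None)

    def receive_tls_closure(self) -> None:
        self.tls_open = False

    def complete(self, msgid: int) -> bool:
        """Execute a pending op; return True only if a response went out.

        Once the TLS connection is closed the server MUST NOT send responses
        to requests received before the closure, though it may still perform
        the operation itself.
        """
        self.pending.pop(msgid)
        self.performed.append(msgid)
        if not self.tls_open:
            return False
        self.responses_sent.append(msgid)
        return True


@dataclass
class Client:
    outstanding: Set[int] = field(default_factory=set)   # ops awaiting a response
    received: Set[int] = field(default_factory=set)      # responses seen
    next_id: int = 1

    def send(self, server: Server, op: str) -> int:
        msgid = self.next_id
        self.next_id += 1
        self.outstanding.add(msgid)
        server.receive_request(msgid, op)
        return msgid

    def deliver(self, server: Server, msgid: int) -> None:
        """Let the server finish msgid and record the response if one arrives."""
        if server.complete(msgid):
            self.outstanding.discard(msgid)
            self.received.add(msgid)

    def abandon(self, server: Server, msgid: int) -> None:
        server.receive_abandon(msgid)
        self.outstanding.discard(msgid)   # client no longer expects a response


def closure_scenario(action: str) -> dict:
    """Issue two ops, get the first result, then handle the second by `action`.

    action is "wait" (get its response first), "abandon" (abandon it), or
    "close" (send the closure alert while it is still outstanding).
    """
    server, client = Server(), Client()
    first = client.send(server, "search")
    second = client.send(server, "modify")
    client.deliver(server, first)
    if action == "wait":
        client.deliver(server, second)
    elif action == "abandon":
        client.abandon(server, second)
    server.receive_tls_closure()
    # The server may still finish a queued op after closure, but must not respond.
    if second in server.pending:
        server.complete(second)
    return {
        "client_received": sorted(client.received),
        "still_outstanding": sorted(client.outstanding),
        "server_performed": sorted(server.performed),
        "responses_sent": sorted(server.responses_sent),
    }


if __name__ == "__main__":
    for action in ("wait", "abandon", "close"):
        print(action, closure_scenario(action))
```

Running the "close" case shows the point Hallvard makes: the server performs
the modify anyway, no response is ever sent, and the client is left with an
outstanding operation it will never hear about, whether or not the spec
obliges it to wait or abandon first.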